Re: RFC: mod_ssl features to dump for 2.5

2020-05-06 Thread Giovanni Bechis
On 5/6/20 1:01 PM, Joe Orton wrote:
> On Wed, May 06, 2020 at 11:44:37AM +0100, Joe Orton wrote:
>> On Mon, May 04, 2020 at 05:23:23PM +0200, Ruediger Pluem wrote:
>>> On 5/4/20 3:49 PM, Joe Orton wrote:
>>>> d) SSLRandomSeed. This might have made sense in 1998 but at least with OpenSSL 1.1.

Re: RFC: mod_ssl features to dump for 2.5

2020-05-06 Thread Joe Orton
On Wed, May 06, 2020 at 11:44:37AM +0100, Joe Orton wrote:
> On Mon, May 04, 2020 at 05:23:23PM +0200, Ruediger Pluem wrote:
> > On 5/4/20 3:49 PM, Joe Orton wrote:
> > > d) SSLRandomSeed. This might have made sense in 1998 but at least with
> > > OpenSSL 1.1.1 which has a rewritten and fork-safe

Re: RFC: mod_ssl features to dump for 2.5

2020-05-06 Thread Joe Orton
On Mon, May 04, 2020 at 05:23:23PM +0200, Ruediger Pluem wrote:
> On 5/4/20 3:49 PM, Joe Orton wrote:
> > d) SSLRandomSeed. This might have made sense in 1998 but at least with
> > OpenSSL 1.1.1 which has a rewritten and fork-safe RAND, I think httpd
> > should not be doing RAND seeding ever. C

Re: RFC: mod_ssl features to dump for 2.5

2020-05-04 Thread Ruediger Pluem
On 5/4/20 3:49 PM, Joe Orton wrote:
> I'd like to gauge consensus on removing the following mod_ssl features
> for 2.5. I am +1 (more or less strongly) on removing all the following:
>
> a) SSLInsecureRenegotiation. If you haven't patched your clients for
> CVE-2009-3555 there is no hope. T

Re: RFC: mod_ssl features to dump for 2.5

2020-05-04 Thread Joe Orton
On Mon, May 04, 2020 at 09:59:24AM -0400, Eric Covener wrote:
> On Mon, May 4, 2020 at 9:49 AM Joe Orton wrote:
> > c) Client-initiated renegotiation prevention mechanism. This was
> > introduced mostly as a temporary workaround for CVE-2009-3555, and as
> > the saying goes, there is nothing as p

Re: RFC: mod_ssl features to dump for 2.5

2020-05-04 Thread Eric Covener
On Mon, May 4, 2020 at 9:49 AM Joe Orton wrote:
>
> I'd like to gauge consensus on removing the following mod_ssl features
> for 2.5. I am +1 (more or less strongly) on removing all the following:
>
> a) SSLInsecureRenegotiation. If you haven't patched your clients for
> CVE-2009-3555 there is no

RFC: mod_ssl features to dump for 2.5

2020-05-04 Thread Joe Orton
I'd like to gauge consensus on removing the following mod_ssl features for 2.5. I am +1 (more or less strongly) on removing all the following:

a) SSLInsecureRenegotiation. If you haven't patched your clients for CVE-2009-3555 there is no hope. This should definitely be removed.

b) SSLRequire